npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@fluvial/csp

v0.5.0

Published

A fluvial-compatible Content Security Policy middleware

Downloads

13

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

cwadrupldijjitcwadrupldijjit

Keywords

fluvialhttp/2http2securitycsp

Readme

@fluvial/csp

Content-Security-Policy (often shortened to "csp") is a header that can be set to help restrict the sources of content used on a website. It can help restrict where JavaScript, CSS, images, and other assets can originate, which is necessary to mitigate many attack vectors that focus on injecting something into your website without your knowledge. A more full overview of CSP can be found on MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.

This middleware is written based on the CSP portion of the helmet package. It isn't a straight-across port, but it keeps to the defaults that helmet provides. It also adds many helpful methods to the Response object that can dynamically include SHA256+ hashes and nonces to the CSP header, which makes it easier for compilation tools and server-side rendering solutions to tap into it.

Basic usage

// e.g., in a main application file
import { csp } from '@fluvial/csp';

app.use(csp());

API documentation:

csp(options?: CspOptions)

Arguments:

  • options (optional) - CspOptions, which is an object with the following properties:
    • directives (optional) - an object whose keys are either camelCase or kebab-case csp directives and whose values are an array of strings that are different permitted sources
    • reportOnly (optional) - boolean for if CSP infractions should be sent in a report to a URL specified in the Report-To header (see example here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to)

Returns a Fluvial function that adds the CSP header as configured when provided to a Router or Application.

Response methods added

res.addNonceToCsp(directiveName: string, nonceValue: string): Response

Adds a nonce to the specified directive and updates the header. A "nonce" is an unguessable, unique value that can be used to identify a script as being okay to load. The value should be generated per request (never the same between requests) so that the nonce cannot be copied and used in the stead of the real script by malicious code running on your website.

Arguments:

  • directiveName - string name of the directive you wish to update (e.g., 'defaultSrc' or 'default-src')
  • nonceValue - string value that is the nonce you wish to use

Returns the same Response object that it was called on, which can be useful for chaining.

res.addSha256ToCsp(directiveName: string, hashOrBytes: string | Buffer): Response

Adds a SHA256 hash to the specified directive.

Arguments:

  • directiveName - string
  • One of
    • hash - string containing the pre-generated SHA256 hash
    • rawBytes - Buffer containing the file's contents for which it will generate the hash

Returns the same Response object that it was called on, which can be useful for chaining.

res.addSha384ToCsp(directiveName: string, hashOrBytes: string | Buffer): Response

Adds a SHA384 hash to the specified directive.

Arguments:

  • directiveName - string
  • One of
    • hash - string containing the pre-generated SHA384 hash
    • rawBytes - Buffer containing the file's contents for which it will generate the hash

Returns the same Response object that it was called on, which can be useful for chaining.

res.addSha512ToCsp(directiveName: string, hashOrBytes: string | Buffer): Response

Adds a SHA512 hash to the specified directive.

Arguments:

  • directiveName - string
  • One of
    • hash - string containing the pre-generated SHA512 hash
    • rawBytes - Buffer containing the file's contents for which it will generate the hash

Returns the same Response object that it was called on, which can be useful for chaining.

Contributing

See something you want this middleware to do? Find a bug? Feel free to open an issue or a PR with the fix or feature you want to add.